Prepare SAP HANA server For SSL

CommonCryptoLib and OpenSSL (if you are using a self-signed certificate) are required on the HANA server. Both are normally already installed along with your HANA installation.

CommonCryptoLib (libsapcrypto.so) is installed by default as part of SAP HANA server installation at $DIR_EXECUTABLE.

Check OPENSSL.

Certificates stored in the file system are contained in database-specific personal security environments or PSEs (default $SECUDIR/sapsrv.pse).

Navigate to $SECUDIR

This ensures all the prerequisites are met and all environment variables are properly set.

Create the PSE and Server Certificate Requests Using SAPGENPSE

Important Note:

Do not enter a password when asked for the PSE PIN/passphrase, as it is not supported!

Also, to secure internal communication, the canonical name should be host specific, e.g. CN="<hostname_with_domain>". So when creating a private CA on each host, the CN parameter will be unique.

This creates two files:

Create the root certificate for this host

Here you can use the pass phrase that you want.

You now have two more files in the directory:

Sign the certificate request.

You can get the certificate signed by a CA. But since this is just for a demo, we will sign the certificate using openssl.

A new file named sapsrv.pem will be created in the same directory, $SECUDIR.

With this step you have the certificate ready that can be used on client machines.

In the next blog we will see how to use this certificate to log in to the HANA database via HANA Studio using SSL.

Import the server certificate into the PSE.

Note that the PSE file has a new timestamp with the certificate added.
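
The root-certificate and signing steps above, followed by a check worth running on sapsrv.pem before it is imported into the PSE, as an added example that is not the original post's commands. The file names demo_ca.key, demo_ca.pem, sapsrv.req and sapsrv.key and the host name passed in are assumptions, and openssl generates the request here only so the script runs on a machine without sapgenpse.

```shell
#!/bin/sh
# Added example. Assumed names (not from the post): demo_ca.key, demo_ca.pem,
# sapsrv.req, sapsrv.key, and whatever host name the caller passes in.

# Build a demo CA and sign a request for host CN $2 inside directory $1.
make_demo_chain() (
    cd "$1" || exit 1
    # Root CA. -nodes leaves the key unencrypted so the demo runs unattended;
    # drop it to be prompted for a pass phrase instead.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Root CA" -keyout demo_ca.key -out demo_ca.pem \
        2>/dev/null || exit 1
    # Stand-in for the certificate request created together with the PSE.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout sapsrv.key -out sapsrv.req \
        2>/dev/null || exit 1
    # Sign the request with the demo CA; the result is sapsrv.pem.
    openssl x509 -req -in sapsrv.req -CA demo_ca.pem -CAkey demo_ca.key \
        -CAcreateserial -sha256 -days 365 -out sapsrv.pem \
        2>/dev/null || exit 1
)

# Check a signed certificate before it is imported.
# Returns 0 = ok, 2 = does not chain to the given CA, 3 = CN is not the host.
check_signed_cert() {
    cert=$1
    ca=$2
    expected_cn=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 2
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$expected_cn") return 0 ;;
        *) return 3 ;;
    esac
}
```

Call `make_demo_chain <directory> <hostname_with_domain>` and then `check_signed_cert sapsrv.pem demo_ca.pem <hostname_with_domain>`; a non-zero result means the certificate should not be imported as it stands.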